I should also audit the term library and mark all unsafe functions as appropriate. Even though it might look convenient to not do this for performance, I do think it is important to guarantee no UB. By the way, this is the same status as the mCRL2 tool set has, but the question is whether this is acceptable in a Rust library.
For example, ATermInt::value() will cause UB if the term is not an integer term, so we should add a value_unchecked that is unsafe and add the check in value() to panic. Similarly for the term arguments, and the Protected. The only remaining question is whether the GcMutex is sound, and whether allowing thread local access without with_borrow() is appropriate. The latter can cause UB, but there is a proposal to change the thread local structures.
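The safe/unsafe split proposed above, as an added example rather than code from the term library under discussion. The `Term` struct, its `TermKind` tag, the `Payload` union and the accessor names `arg`, `arg_unchecked` and `arity` are assumed for illustration; the point is that the checked accessor panics on a mis-typed term while the `unsafe` variant documents the invariant the caller must uphold and keeps the fast path free of the check.

```rust
// Added example, not the project's own code. Models a term whose payload slot
// is shared between integer terms and application terms, so reading it with
// the wrong tag would be undefined behaviour. Every read goes through either a
// checked accessor (panics) or an `unsafe fn` whose contract is the tag check.
use std::mem::ManuallyDrop;

/// Tag stored with each term; assumed layout for the example.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum TermKind {
    Int,
    Appl,
}

/// Shared payload slot: which field is live is decided by `Term::kind`.
union Payload {
    int_value: i64,
    args: ManuallyDrop<Box<[Term]>>,
}

pub struct Term {
    kind: TermKind,
    payload: Payload,
}

impl Term {
    pub fn int(v: i64) -> Term {
        Term { kind: TermKind::Int, payload: Payload { int_value: v } }
    }

    pub fn appl(args: Vec<Term>) -> Term {
        Term {
            kind: TermKind::Appl,
            payload: Payload { args: ManuallyDrop::new(args.into_boxed_slice()) },
        }
    }

    pub fn kind(&self) -> TermKind {
        self.kind
    }

    /// Checked accessor: panics instead of reading the wrong union field.
    pub fn value(&self) -> i64 {
        assert_eq!(self.kind, TermKind::Int, "value() called on a non-integer term");
        // SAFETY: the tag was checked just above.
        unsafe { self.value_unchecked() }
    }

    /// Unchecked accessor, kept for hot paths that have already verified the tag.
    ///
    /// # Safety
    /// The caller must guarantee `self.kind() == TermKind::Int`.
    pub unsafe fn value_unchecked(&self) -> i64 {
        debug_assert_eq!(self.kind, TermKind::Int);
        unsafe { self.payload.int_value }
    }

    /// Number of arguments; zero for integer terms.
    pub fn arity(&self) -> usize {
        match self.kind {
            // SAFETY: the tag says the payload holds `args`.
            TermKind::Appl => unsafe { self.payload.args.len() },
            TermKind::Int => 0,
        }
    }

    /// Checked argument access: panics on a non-application term or an
    /// out-of-range index (slice indexing performs the bounds check).
    pub fn arg(&self, i: usize) -> &Term {
        assert_eq!(self.kind, TermKind::Appl, "arg() called on a non-application term");
        // SAFETY: the tag says the payload holds `args`.
        let args: &[Term] = unsafe { &self.payload.args };
        &args[i]
    }

    /// # Safety
    /// The caller must guarantee `self.kind() == TermKind::Appl` and `i < self.arity()`.
    pub unsafe fn arg_unchecked(&self, i: usize) -> &Term {
        debug_assert_eq!(self.kind, TermKind::Appl);
        debug_assert!(i < self.arity());
        unsafe { self.payload.args.get_unchecked(i) }
    }
}

impl Drop for Term {
    fn drop(&mut self) {
        if self.kind == TermKind::Appl {
            // SAFETY: the tag says `args` is the live field, and it is dropped exactly once here.
            unsafe { ManuallyDrop::drop(&mut self.payload.args) }
        }
    }
}

fn main() {
    let t = Term::appl(vec![Term::int(7), Term::int(9)]);
    println!("arity = {}, arg(1) = {}", t.arity(), t.arg(1).value());
    // `Term::int(7).arg(0)` or `t.value()` would panic here instead of reading a stale field.
}
```

The `debug_assert!` calls in the `unsafe fn` variants cost nothing in release builds but turn a violated contract into a panic under `cargo test`, which is where such misuse is most likely to be caught.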